Freedom Box Project: Vision Statement

We live in a world where our use of the network is mediated by organizations that often do not have our best interests at heart. By building software that does not rely on a central service, we can regain control and privacy. By keeping our data in our homes, we gain useful legal protections over it. By giving back power to the users over their networks and machines, we are returning the Internet to its intended peer-to-peer architecture.

In order to bring about the new network order, it is paramount that it is easy to convert to it. The hardware it runs on must be cheap. The software it runs on must be easy to install and administrate by anybody. It must be easy to transition from existing services.

There are a number of projects working to realize a future of distributed services; we aim to bring them all together in a convenient package.

http://wiki.debian.org/FreedomBox

www.youtube.com/watch?v=gORNmfpD0ak

I arrived at his office, and found he purchased a shiny new Cisco Linksys WRT320N router for $100 from Futureshop. It looks sleek and sexy. I disconnected his D-Link DIR-615, and proceeded to setup the new one. After getting through the setup, enabling the wireless, and specifying which systems would obtain which IP address, I found that the router can only block 4 domains.

It’s situations like these where you realize there is a good solution for all of this, and it happens to start with Vyatta. I brought over a computer with a second network card installed. Ran through the main setup of the router. Now, for domain or URL filtering, my understanding is that there is no limit with Vyatta.

You run the commands below on the internal interface that connects the switch to the router.

set service webproxy listen-address 10.10.0.1
set service webproxy url-filtering squidguard local-block twitter.com
set service webproxy url-filtering squidguard local-block facebook.com
set service webproxy url-filtering squidguard local-block youtube.com
commit

There is also some extra cool features if you are looking for an added level of security. SquidGuard allows you to use blacklists with Squid, and the great thing about it is that its totally free. One of those cool features is the ability of blocking adware and spyware, and not having to figure out what to block. You can use the commands below to use the lists managed by Squid.

set service webproxy listen-address 10.10.0.1
set service webproxy url-filtering squidguard block-category ads
set service webproxy url-filtering squidguard block-category gambling
set service webproxy url-filtering squidguard block-category malware
set service webproxy url-filtering squidguard block-category phishing
set service webproxy url-filtering squidguard block-category porn
set service webproxy url-filtering squidguard block-category spyware
set service webproxy url-filtering squidguard block-category warez
commit

And with a few lines of commands, you can protect your network better.

Routers at the access layer are pretty straight forward to get up and running.

Configuring the External Interface (eth0)

In the previous setup, we set the internal interface to be on the 172.16.0.0/29 subnet. And since the internal interface of the distribution router connects to the external interface of the access router, we’ll go ahead and set the external IP here.

set interfaces ethernet eth0 address 172.16.0.2/29
commit

Configuring the Internal Interface (eth1)

We’ll now configure the internal address, however the subnet mask will not be /29. Since this tutorial is for setting up a network at home, l’m going to assume there aren’t too many people with over 30 computers at home. Although this is pretty high to begin with, its suitable.

set interfaces ethernet eth1 address 192.168.0.1/27
commit

The /27 will allow us to have a total of 30 computers. Here’s the breakdown.

Network Address: 192.168.0.0
Broadcast Address: 192.168.0.31
Hosts (Computers): 192.168.0.1 – 192.168.0.30
Subnet Mask: 255.255.255.224

Configuring DHCP

I covered this step in the first part of the series. I did mention that it wasn’t required for a core router, but included the configurations since this is a home network. Below are the configurations.

set service dhcp-server
set service dhcp-server shared-network-name Pool1
set service dhcp-server shared-network-name Pool1 subnet 192.168.0.0 default-router 192.168.0.1
set service dhcp-server shared-network-name Pool1 subnet 192.168.0.0 start 192.168.0.2 end 192.168.0.30
set service dhcp-server shared-network-name Pool1 subnet 192.168.0.0 exclude 192.168.0.1
set service dhcp-server shared-network-name Pool1 subnet 192.168.0.0 dns-server 208.67.220.220
set service dhcp-server shared-network-name Pool1 subnet 192.168.0.0 dns-server 208.67.222.222
commit

As mentioned earlier, the 208.67.220.220 and 208.67.222.222 address are free DNS servers from OpenDNS.

Configuring NAT

This is the last part of the configuration, and I also covered this in the first part. NAT (Network Address Translation) will enable the computers to talk to the outside world, or in our case, get on the internet.

set service nat rule 100 type masquerade
set service nat rule 100 type source address 192.168.0.0/27
set service nat rule 100 type source outbound-interface eth0
commit

This ends the series on setting up a network at home using the internetworking model using Vyatta. Although, it is unlikely that you would implement this at home (because it requires three computers), it is primarily to get an understanding of how to differentiate between the different functions that routers perform at the various layers. It is also meant to show us how to get the same functionality of a Cisco environment without using Cisco equipment.

Moving forward, what are the primary differences between the distribution layer and the core and access? The distribution layer is where all the routing, policies and filtering take place.

Setting up the Distribution Router

Similar to the core router, we’re going to need a computer that is equipped with two network interfaces.

• configure the external interface
• configure the internal interface

Going forward from the Core Configuration

In Part 1, we configured the core router to have an external address of 1.1.1.1/24 and an internal address of 10.0.0.1/29. Ensure you follow the same steps of installing Vyatta on the machine and getting to the configuration page in order to proceed.

Configuring the External Interface (eth0)

Here, we’ll configure the external address of the router to be on the same subnet as the internal address of the core router.

set interfaces ethernet eth0 address 10.0.0.2/29
commit

Configuring the Internal Interface (eth1)

We can now configure the internal address in the same way.

set interfaces ethernet eth1 address 172.16.0.1/29
commit

So, from here we’ve set our internal network to be 172.16.0.1 with a subnet address of 255.255.255.248. This distribution router has the .1 address, and so the access router will get the .2 address.

Policies and Filtering

This section can get quite lengthy based on the options you want to implement in your setup.

Instead of re-inventing the wheel, I’m going to include a few configuration settings from resources that are already available on the Carbonwind.net site. For the complete list of firewall configurations, please visit the Vyatta VC5 – Simple Firewall and NAT Rules.

Keep in mind that the difference with the configurations below is that the subnet of the internal network is set to 192.168.40.0.

Allow DNS name resolution for Vyatta itself
Maybe you obtain the IP address on your Internet facing interface through DHPC, so you do not know the IP addresses of the ISP DNS servers, as their IP addresses might change.

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 source port 53
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable
set interfaces ethernet eth0 firewall local name eth0local

Or maybe you have a static IP address on your Internet facing interface, and you know the IP addresses of the ISP DNS servers. Bellow, we have assumed that the public IP address on eth0 interface is 192.168.22.240 and the IP address of the ISP server is 192.168.22.1.

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 source port 53
set firewall name eth0local rule 10 source address 192.168.22.1
set firewall name eth0local rule 10 destination address 192.168.22.240
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable
set interfaces ethernet eth0 firewall local name eth0local

Or you may use internal DNS server(s) and you’ve configured on Vyatta this DNS server(s) as name server(s)(note that in addition to the rule bellow you need to allow DNS through Vyatta from the internal DNS, search this article for that).

set firewall name eth1local rule 10 action accept
set firewall name eth1local rule 10 protocol udp
set firewall name eth1local rule 10 source address 192.168.40.2
set firewall name eth1local rule 10 source port 53
set firewall name eth1local rule 10 destination address 192.168.40.1
set firewall name eth1local rule 10 state established enable
set firewall name eth1local rule 10 state related enable
set interfaces ethernet eth1 firewall local name eth1local

Allow NTP for Vyatta itself
Say you’ve configured an NTP server on Vyatta. By default there is an external NTP server configured.

For this configured NTP server, we can add on the Internet facing interface a firewall rule allowing returning NTP traffic(NTP server’s replies) like (bellow, we have assumed that the public IP address on eth0 interface is 192.168.22.240 and the IP address of the NTP server is 69.59.150.135):

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 source address 69.59.150.135
set firewall name eth0local rule 10 source port 123
set firewall name eth0local rule 10 destination address 192.168.22.240
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable

set interfaces ethernet eth0 firewall local name eth0local

Allow HTTP and HTTPS for Vyatta itself
Say you want to allow for updates or so, HTTP/HTTPS traffic from Vyatta itself(destined to the Internet). So you need to allow returning HTTP/HTTPS traffic to Vyatta itself on that interface(connections initiated by Vyatta itself, bellow, we have assumed that the public IP address on eth0 interface is 192.168.22.240).

set firewall conntrack-tcp-loose disable

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol tcp
set firewall name eth0local rule 10 source port 80,443
set firewall name eth0local rule 10 destination address 192.168.22.240
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable

set interfaces ethernet eth0 firewall local name eth0local

Dynamic IP address from DHCP on an interface

Say, the Internet facing interface(eth0) obtains its IP configuration from a DHCP server.

Basically we need to allow the DHCP server’s reply messages.

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 destination port 68
set firewall name eth0local rule 10 source port 67
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable

set interfaces ethernet eth0 firewall local name eth0local

I will conclude with this portion of the series here. The next one will look at the Access router and how this can be implemented and deployed in your network.

In my Cisco days, we followed a certain model that is similar to the 3-tier architecture. I won’t go into too much detail here, but it divides up your network into three levels; Core, Distribution, and Access. You must be wondering how we’re going to apply this concept to the home?  Below is a visual representation of what I’ve got in mind. We’ll break this down piece by piece and build each part as we go along.

Typically, the Access Layer can be either switches or routers, depending on your setup. Just so my home network doesn’t get overly complicated, I’m going to leave that later as switches. Also, because this is being implemented in a home, you will notice that there are no redundant links here, ie, dual wan connections, etc.

Setting up the Core Router

For the Core Router, I’m using a computer with two network interfaces. We’re going to

• configure the external interface
• configure the internal interface
• configure ssh access so we can connect to this router later
• configure dhcp (you can skip this and set the distribution router with a static external)
• configure name servers as well as dynamic dns
• configure network address translation

Getting Started

At this stage, I assume you would have already installed Vyatta. Once you’ve got it up and running, you should be able to logged in and see the main list of options. To begin configuring the router, type

configure

Configuring the External Interface (eth0)

We’ll start by configuring the external address. Because most homes don’t have a static ip address assigned to them for their internet connection, we’re going to configure our external interface with a dhcp address.

set interfaces ethernet eth0 address dhcp
commit

If you happen to have a static ip, and know your subnet mask, you can enter it as follows

set interfaces ethernet eth0 address 1.1.1.1/24
commit

Configuring the Internal Interface (eth1)

We can now configure the internal address in the same way. However, this time we’ll have to assign an address ourselves.

set interfaces ethernet eth1 address 10.0.0.1/29
commit

So, from here we’ve set our internal network to be 10.0.0.0 with a subnet address of 255.255.255.248. Our core router has the .1 address, and so our distribution router will more than likely get a .2 address. This really isn’t set in stone. But if you feel you want to make it .3 or .6, go right ahead. Basically, all we’re doing here is using a convention that will be easy to remember.

Configuring SSH access

Configuring SSH will allow us to have secure shell access to the router externally. I would set this up instead of Telnet for security purposes. It’s relatively simple. Basically, we want to change the port we connect to from the default (22) to something random, like 30000. Also, I’m going to deny root access to the system. If you wish to have root access, set it to true.

set service ssh
set service ssh port 30000
set service ssh allow-root false
set service ssh protocol-version all
commit

Configuring DHCP

Technically speaking, you want to skip this section all-together. For your core router, you want it to strictly stay on the ball when it comes to doing its job, and this is forwarding packets between the distribution layer to the external network. However, because this is my home network, I’m not overly concerned.

Here, we’ll setup the DHCP server, give it a name (like the pool in Cisco), and the other characteristics.

set service dhcp-server
set service dhcp-server shared-network-name Pool1
set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 default-router 10.0.0.1
set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 start 10.0.0.2 end 10.0.0.6
set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 exclude 10.0.0.1
set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 dns-server 208.67.220.220
set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 dns-server 208.67.222.222
commit

For the DNS servers, I’ve set it up here to point to OpenDNS. I setup all my routers to use their DNS servers. You don’t have to specify it here, you can set it as your router and specify the name servers in your global configuration as we will be doing in the next step.

Configuring DNS

This is pretty straight forward. We’ll go ahead and plug in the OpenDNS servers in here. Vyatta supports several DDNS service providers right out of the box. I’m going to add the configurations to connect to DynDNS for our dynamic dns updates.

set system name-server 208.67.220.220
set system name-server 208.67.222.222
set service dns dynamic interface eth0 service dyndns
set service dns dynamic interface eth0 service dyndns login your-login-name
set service dns dynamic interface eth0 service dyndns password your-password
set service dns dynamic interface eth0 service dyndns host-name your-hostname.domain.com
commit

Configuring NAT

We’re using network address translation so that all our internal computers can talk to the outside world as though they are the router itself. Or, to break it down even further, we don’t have enough public ip address to pass around, but the private ip addresses are endless. You and your neighbor could have 10 or more computers and have the exact same private addresses, but you both have one unique public address. The outside world only talks to public addresses, and this is where NAT kicks in. Your router will basically facilitate that communication for you.

There are several types of NAT. We won’t get complicated here. So, we’ll just setup an SNAT (source nat).

set service nat rule 100 type masquerade
set service nat rule 100 type source address 10.0.0.0/29
set service nat rule 100 type source outbound-interface eth0
commit

Wrapping things up

We’ve now finished configuring the core router. Save all your configurations by typing (save). In the next post, we’ll look at configuring the distribution router.